[Freeipa-users] otp issue: can't log in with password+otp

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 25 07:09:55 UTC 2015


On Fri, 25 Sep 2015, Jan Pazdziora wrote:
>On Tue, Sep 22, 2015 at 08:55:53AM -0400, Nathaniel McCallum wrote:
>> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
>> > Dear freeipa-users,
>> >
>> > I'm having an issue with otp in freeipa. I can set up the service as
>> > described in the blog post for TOTP or HOTP, and sync the token fine.
>> > When I try to login to the admin tools or an ipa-managed client
>> > (with <password><token>) , I get a password incorrect message.
>> > Here are some more details: https://github.com/adelton/docker-freeipa
>> > /issues/34
>> > Can anyone help me to debug/get this working?
>>
>> I'm very unclear as to what you are trying to do. Are you trying to
>> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
>> ipa-otpd will require systemd in the container.
>
>Well, we have separate daemon listening on the
>/var/run/krb5kdc/DEFAULT.socket in the container which should start
>the ipa-otpd@.service when there's a connection made to it. But
>somehow it does not seem to be happening even if I fix the parsing of
>/etc/ipa/default.conf that ipa-otpd@.service is doing.
As I wrote earlier, ipa-otpd relies on the socket activation feature of
systemd -- systemd opens this socket and listens for incoming
connections. Any incoming connection causes systemd to start the ipa-otpd
daemon and connect its stdin/stdout to the socket's client.

>What is the simplest way to trigger the connection to
>/var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
Use socat. Something like
 socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd

-- 
/ Alexander Bokovoy
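To see the activation mechanism described above without systemd or socat, here is an added Python example (not from the thread or from FreeIPA): a minimal activator that, like the socat UNIX-LISTEN...EXEC one-liner or a systemd Accept=yes socket, accepts a connection on a Unix socket and starts a handler with its stdin/stdout bound to that connection. The handler is a stand-in for /usr/libexec/ipa-otpd and the socket lives in a temporary directory instead of /var/run/krb5kdc; both are assumptions.

```python
import os, socket, subprocess, sys, tempfile, threading

# Stand-in handler for /usr/libexec/ipa-otpd (assumption: the real daemon speaks
# the KDC's own protocol; this one just echoes whatever it read on stdin).
FAKE_OTPD = [sys.executable, "-c",
             "import sys; d = sys.stdin.buffer.read(); "
             "sys.stdout.buffer.write(b'otpd-saw:' + d); sys.stdout.flush()"]

def listen_on(path):
    """Open and listen on the Unix socket, as systemd does for ipa-otpd.socket."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)
    return srv

def activate(srv, handler_argv, max_conns=1):
    """Accept=yes style activation: one handler process per connection, its
    stdin and stdout bound to the accepted socket. Returns handler exit codes."""
    codes = []
    for _ in range(max_conns):
        conn, _peer = srv.accept()
        with conn:  # parent drops its copy once the handler has exited
            proc = subprocess.run(handler_argv, stdin=conn.fileno(), stdout=conn.fileno())
            codes.append(proc.returncode)
    return codes

def probe(path, payload):
    """What the KDC (or a debugger) does: connect, send, half-close, read reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)  # EOF on its stdin tells the handler the request is complete
        with cli.makefile("rb") as reply:
            return reply.read()  # read until the handler closes its stdout

def demo(payload=b"hello"):
    """Run activator and client in one process; returns (reply, handler exit codes)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "DEFAULT.socket")  # stand-in for /var/run/krb5kdc/DEFAULT.socket
        srv = listen_on(path)
        codes = []
        worker = threading.Thread(target=lambda: codes.extend(activate(srv, FAKE_OTPD)))
        worker.start()
        reply = probe(path, payload)
        worker.join()
        srv.close()
    return reply, codes
```

If the real socket is wired up correctly, the same probe() against /var/run/krb5kdc/DEFAULT.socket should cause a handler to be spawned; if nothing answers, the activation path (socket unit, template service, or the default.conf parsing mentioned above) is where to look.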